The Bitfinex Bitcoin Hack: What We Know (And Don’t Know)

More than $60m worth of bitcoin was stolen from one of the world's largest digital currency exchanges yesterday, and nearly 24 hours later, the event is still shrouded in mystery.

What is clear, though, is that the impact is far-reaching.

The Bitfinex theft represents the largest loss of bitcoins by an exchange since Japan's infamous Mt Gox lost 744,408 BTC in early 2014 (worth $350m), a breach that would ultimately cause it to cease operations.

At press time, the value of the 119,756 BTC stolen from Bitfinex stands at roughly $66m, or about 18% of what was lost by Mt Gox.

Given the size, the theft has sparked confusion and frustration among market traders and observers since it was announced.

Sources close to the exchange have largely avoided offering comment on whether the 119,756 BTC stolen represents the full extent of the hack, and Bitfinex itself has yet to publish any findings from its ongoing internal investigation.

Here’s what we know (and what we don’t know) so far:

What we know

Multi-signature accounts were impacted

The source of the vulnerability appears to lie in how Bitfinex structured its accounts and its use of bitcoin wallet provider BitGo as an additional layer of security on customer transactions.

Under an arrangement announced in 2015, Bitfinex and BitGo created a system whereby multi-signature wallets (those where keys are divided among a number of owners to manage risk) would be provided to each customer.

The exchange declared at the time:

"The era of commingling customer bitcoin and all of the associated security exposures is over."

As referenced in the quote, the companies sought to find an alternative to the standard process used by exchanges at the time that saw customer funds co-mingled in larger offline wallets and connected or "hot" wallets used to meet liquidity demands.

Rather, each Bitfinex user has their own set of keys created on the platform, using a 2-of-3 key arrangement whereby Bitfinex held two of the keys (including one offline) and BitGo used the third to co-sign transactions.

In order to withdraw such a large amount of funds, BitGo would likely have had to sign off on those transactions.

Bitfinex customer losses significant

While the full extent of customer losses on an individual basis is unclear, signs indicate a significant subset of the bitcoin trading community was impacted.

In the hours following the news, community members took to Twitter and Reddit to report that their accounts had been drained.

Some users expressed exasperation despite having security measures like two-factor authentication in place, in which secondary devices (like a mobile phone) are used to provide an additional passkey layer.

On the other hand, funds transferred to the exchange following the hack are said to be secure, but the exchange has yet to release details on both when and how withdrawals will be managed.

Bitcoin prices have fallen sharply

One of the most direct impacts of the Bitfinex hack could be seen in the price of bitcoin, which plunged after the news broke.

Prices fell by nearly 20%, tumbling as low as $480 USD before recovering.

At press time, the price of bitcoin is approximately $552, according to the CoinDesk Bitcoin USD Price Index, up roughly $70 from yesterday's low.

Bitfinex remains offline

Also at press time, Bitfinex remains offline, with its message announcing the hack still visible to users.

Statements from Bitfinex suggest that the company is looking to initially bring the site online so that users can check their balances and determine whether their accounts have been drained.

What we don’t know

Who is to blame?

Given the amount of money involved, many in the community have been searching for a scapegoat.

One obvious target has been Bitfinex itself, which had possession of two of the three private keys needed for the funds lost from multi-signature accounts. Others have questioned whether weaknesses in BitGo's model were exposed in the incident as well.

Yesterday, BitGo took to social media to state that an internal investigation had turned up no evidence of a server breach on their end.

Yet despite the assurances, some observers have blamed the service for "blindly signing" the withdrawal of nearly 120,000 BTC and wondered why no potential countermeasures were in place in the event of a movement of funds of that size.

With 30-day transaction volumes just above 600,000 BTC, the hack was roughly one-sixth of the size of the exchange's monthly orders.
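
One form the countermeasure those observers asked about could take, shown as an added illustration (not code from Bitfinex, BitGo or the original article): the holder of the third key in a 2-of-3 arrangement caps aggregate outflow across all segregated wallets in a rolling window instead of co-signing every request. The class, the limits and the request data are constructed assumptions.

```python
from collections import deque

class CoSigner:
    """Hypothetical third-key holder in a 2-of-3 multi-signature setup."""

    def __init__(self, window_s, limit_btc):
        self.window_s = window_s    # rolling window length in seconds
        self.limit_btc = limit_btc  # aggregate cap; None models "blind" signing
        self.recent = deque()       # (timestamp, amount) of co-signed requests
        self.recent_total = 0

    def review(self, now, amount_btc, exchange_signed):
        # Drop co-signed amounts that have aged out of the window.
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent_total -= self.recent.popleft()[1]
        # The co-signer only ever adds the second signature.
        if not exchange_signed:
            return "reject"
        # The cap is deliberately NOT per wallet: with one wallet per
        # customer, many small drains stay under any per-wallet limit.
        if (self.limit_btc is not None
                and self.recent_total + amount_btc > self.limit_btc):
            return "hold"  # escalate to manual review instead of signing
        self.recent.append((now, amount_btc))
        self.recent_total += amount_btc
        return "co-sign"

def replay(requests, cosigner):
    """Return (BTC released, number of requests held) for a request stream."""
    released = held = 0
    for now, _wallet_id, amount in requests:
        if cosigner.review(now, amount, exchange_signed=True) == "co-sign":
            released += amount
        else:
            held += 1
    return released, held

# Constructed data: 200 customer wallets each asked for 60 BTC within an hour.
REQUESTS = [(i * 15, f"wallet-{i}", 60) for i in range(200)]

if __name__ == "__main__":
    day = 24 * 60 * 60
    print("blind co-signer :", replay(REQUESTS, CoSigner(day, None)))
    print("aggregate limit :", replay(REQUESTS, CoSigner(day, 1000)))
```
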
